Win32.Induc virus targets Delphi development environment

Sunbelt Software is warning of incipient attacks through development environments as latest virus targets software as it's being written

Sunbelt Software, a provider of Windows security software, has issued a warning to users and software developers following the discovery of a virus that targets development environments in order to infiltrate applications at the point they are written and compiled.

The virus, dubbed Win32.Induc, was written to infect applications built with the popular Windows-based development environment Delphi and has been in circulation for some time. The virus is known to affect versions of Delphi up to 7.0. Sunbelt Software's VIPRE product line is currently detecting the infected executables caused by Win32.Induc.

When a Win32.Induc-infected application is run on a PC, the virus searches for a Delphi installation and attaches itself to it. Any software compiled by the infected Delphi will then also carry a copy of Win32.Induc, allowing the virus to spread in the application executable.

"The point that the industry seems to have missed is that this virus may have been circulating for a while and therefore could already be embedded in a lot of applications in circulation online, on cover discs and pre-installed on new PCs," said Michael St. Neitzel, VP of Threat Research and Technologies at Sunbelt Software.

Although no payload is deployed and no destructive act is carried out on data or applications, the replication and infection will cause disruption, as functional applications and files are quarantined by antivirus software as infected, pending disinfection.

"This is a real challenge for antivirus vendors and those on the receiving end. When AV scanners start identifying applications as 'infected' with Win32.Induc, it's an open question whether or not the scanners can clean them. If they can't, the original developers are going to be required to get the infection out of their Delphi compilers, recompile the applications and get the clean code back to their customers. Given there could be different versions of the infected applications in circulation, this is going to be a real nightmare for some companies to deal with," St. Neitzel added.

Popular freeware and shareware executables infected with the Win32.Induc virus, including Any TV Free 2.41 and Tidy Favorites 4.1, have found their way onto certain magazine cover discs. Uninfected versions of both applications are now available; however, CDs and DVDs containing infected versions of the executables are still in circulation.

Sunbelt recommends that enterprises using Delphi scan production machines with VIPRE, remove any possible infections, then recompile executables that were distributed to customers. Customers should be notified. Remember that the virus might also remain in backup images. Infections could have begun as early as the spring of 2008.